Container analysis and vulnerability scanning

Container Analysis provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Artifact Registry and Container Registry, then stores the resulting metadata and makes it available for consumption through an API. Metadata storage lets you store information from different sources, including vulnerability scanning, Google Cloud services, and third-party providers.

Container Analysis as a strategic information API

In the context of your CI/CD pipeline, Container Analysis can be integrated to store metadata about your deployment process and make decisions based on that metadata.

At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you might add metadata to your image indicating that it has passed an integration test suite or a vulnerability scan.

Figure 1. Container Analysis in CI/CD: a diagram that shows Container Analysis as a CI/CD pipeline component that interacts with metadata across the source, build, storage, and deployment stages as well as runtime environments.

Vulnerability scanning can occur automatically or on-demand:

  • When automatic scanning is enabled, scanning triggers automatically every time you push a new image to Artifact Registry or Container Registry. Vulnerability information is continuously updated when new vulnerabilities are discovered.

  • When On-Demand Scanning is enabled, you must run a command to scan a local image or an image in Artifact Registry or Container Registry. On-Demand Scanning gives you more flexibility around when you scan containers. For example, you can scan a locally built image and remediate vulnerabilities before storing it in a registry.

    Scanning results are available for up to 48 hours after the scan is completed, and vulnerability information is not updated after the scan.

With Container Analysis integrated into your CI/CD pipeline, you can make decisions based on that metadata. For example, you can use Binary Authorization to create deployment policies that only allow deployments for compliant images from trusted registries.
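As an added example (not part of this documentation), the following shell gate applies the on-demand workflow described above: it scans a locally built image before the push and stops the pipeline when the scan reports CRITICAL or HIGH findings. The two gcloud commands are the On-Demand Scanning CLI; the function names, the severity threshold and the image reference are this example's own assumptions.

```shell
# Added example: gate a CI step on an On-Demand Scanning result.
# Assumes the gcloud CLI is installed and the On-Demand Scanning API is
# enabled in the project. IMAGE is a placeholder for your local image tag.

# Read one severity per line from stdin (the format printed by
# list-vulnerabilities below) and return 1 if any is CRITICAL or HIGH.
gate_on_severities() {
  blocked=0
  while IFS= read -r sev; do
    case "$sev" in
      CRITICAL|HIGH) blocked=$((blocked + 1)) ;;
    esac
  done
  if [ "$blocked" -gt 0 ]; then
    echo "blocked: $blocked CRITICAL/HIGH finding(s)" >&2
    return 1
  fi
  return 0
}

# Scan a locally built image (no --remote flag, so the image is read from
# the local Docker daemon), then apply the gate to the reported severities.
# Returns 0 to allow the push, 1 if the gate blocks it, 2 if the scan failed.
scan_and_gate() {
  image="$1"
  scan_id=$(gcloud artifacts docker images scan "$image" \
              --format='value(response.scan)') || return 2
  gcloud artifacts docker images list-vulnerabilities "$scan_id" \
      --format='value(vulnerability.effectiveSeverity)' | gate_on_severities
}

# Typical CI usage (IMAGE is a placeholder):
#   scan_and_gate "$IMAGE" && docker push "$IMAGE"
```

Because on-demand results are only kept for 48 hours and are not refreshed, run the gate in the pipeline itself rather than relying on an earlier scan.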

If you are currently using Container Analysis with Container Registry, the same Container Analysis APIs and Pub/Sub topics are used by both products. See the documentation for transitioning from Container Registry for more information.

To learn about using Container Analysis and costs for the optional vulnerability scanning service, see the Container Analysis documentation.